CORS support - SSO

SSO Server

CORS with authentication enabled

Resources that require to authenticate the user via Authentication header are by default allowed for all origins. How to restrict allowed origins, see Restricting allowed origins for CORS.

  • Access-Control-Allow-Headers: Authorization

  • Access-Control-Expose-Headers: WWW-Authenticate
  • Access-Control-Allow-Methods: GET, POST
  • Access-Control-Allow-Origin: *
EndpointDescription
/uas/oauth2/token
/uas/oauth2/userinfo
/uas/oauth2/introspection
/uas/oauth2/revocation

OAuth 2.0 and OpenID Connect 1.0 protocol endpoints

Cannot use client_secret_basic client credentials, other client credentials types are possible

Authorization endpoint is not CORS enabled

CORS with credentials enabled

Resources that require to authenticate the user with credentials are by default allowed for all origins. How to restrict allowed origins, see Restricting allowed origins for CORS.

  • Access-Control-Allow-Credentials: true
  • Access-Control-Allow-Methods: GET, POST
  • Access-Control-Allow-Origin: *
EndpointDescription
/uas/refresh/*
The session refresh endpoint

CORS enabled

  • Access-Control-Allow-Methods: GET, POST
  • Access-Control-Allow-Origin: *
EndpointDescription
/uas/saml2/metadata.xml
/uas/wsf/FederationMetadata.xml
/uas/.well-known/*
/uas/oauth2/metadata.json
/uas/oauth2/metadata.jwks
Metadata endpoints for SAML 2.0, WS-Federation, OAuth 2.0 and OpenID Connect 1.0
/uas/discovery/*
/uas/template/*
/uas/resource/*
Discovery and Template API
/uas/status
/uas/ping
Status endpoints

CORS disabled

For any other SSO Server endpoints, all CORS requests are blocked.

Password

All CORS requests are blocked.

Management Console

All CORS requests are blocked.

Troubleshooting

You can verify the CORS configuration from the diagnostic logs, see Diag log description:

  • set debug level for INIT for basic filter setup
  • set debug level for com.ubisecure.util.filter.CorsFilter for more details

References

This web page (including any attachments) may contain confidential, proprietary, or privileged information – not for disclosure without authorization from Ubisecure Inc. Copyright © 2024. All Rights Reserved.